Parser

Most recent version: v1.0.1

See the changelog of this Action type here.

Overview

The Parser Action gives structure to and divides a JSON, Key-Value, CSV, Delimited Values, Fixed Length, or XML file into separate fields.

Ports

These are the input and output ports of this Action:

Input ports
  • Default port - All the events to be processed by this Action enter through this port.

Output ports
  • Default port - Events are sent through this port if no error occurs while processing them.

  • Error port - Events are sent through this port if an error occurs while processing them.

Configuration

1. Find Parser in the Actions tab (under the Transformation group) and drag it onto the canvas.

2. To open the configuration, click the Action in the canvas and select Configuration.

3. Enter the required parameters:

Parameter
Description

Select field to parse*

First, choose the field to parse from your input data by typing it in the search bar or selecting it from the list.

Input*

This is where you specify how to read the incoming data:

  • real_data - This is the data taken directly from the linked Listener.

  • paste - There may be times when you will receive a file with updated data for the Listener. If this is the case, you can paste it here.

In the Events drop-down, you can write how many events to show in this window.

Now that you have specified where to source the data from, you need to determine how to process the events.

Parser*

There are two ways to parse your data:

  • auto - Automatically parses all key-value fields.

  • manual - Manually split fields and rename them.

Here you can view the fields as a list, or as code. Each data type has a color. Learn more here.

The language and grammar used to parse is PCL (Parser Configuration Language). We have provided an extensive run-down of each command in this article.

Now that we have decided which field to parse, from where, and how, we need to specify how the output is interpreted by the next Action.

Output*

Here you can see the raw message that has been generated.

Below, each individual field is color-coded according to the legend and separated into its type and name.

Here you can change the data type and edit the field name.

For fields containing subfields (field.subfield), changing the field name will change all of the prefixes.

4. Click Save to complete the process.

Example

Learn how to use the Parser with this example.

We have opened the configuration of the Parser in our Pipeline, which receives data from the linked Listener.

First, we must select the field to parse from the Listener, so that it can be separated into more specific data. This is the field containing the raw data.

In the Input field, select Real data if you feel comfortable with how the Parser works.

Select Paste and paste this log to follow along with us for the various examples of log sources.

A CSV file using "," as a separator

Log to paste

2024-10-02T14:22:03Z,DESKTOP-1234,FileExecution,notepad.exe,4321,JohnDoe,192.168.1.2,a3b5c2d4e6f7,35

Select Auto to automatically parse this data into separate fields.

The parser will automatically parse the log, having recognized the separator. The default field names will be fieldName1, fieldName2, fieldName3, and so on.

Now that we have decided which field to parse, from where, and how, we need to specify how it is output to the next Action. In the Output field, we can change the names of each field:

  • TIMESTAMP

  • HOSTNAME

  • EVENT TYPE

  • PROCESS NAME

  • PROCESS ID

  • USERNAME

  • IP ADDRESS

  • HASH

  • THREAT SCORE

Click Save.
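The steps above (auto-detect the separator, split into fieldName1..N, type each value, then rename the fields in order) can be reproduced outside the UI. The following Python script is an added example written for this page; it is not the product's own PCL or parser code, and it only covers the delimited-values case, not JSON, Key-Value, Fixed Length or XML. The sample log line and the output names are the ones from the example above; the candidate separator list and the type legend (integer, float, boolean, string) are assumptions.

```python
import csv
import io
import re

# Constructed sample: the CSV line from the page's example.
SAMPLE_LOG = ("2024-10-02T14:22:03Z,DESKTOP-1234,FileExecution,notepad.exe,"
              "4321,JohnDoe,192.168.1.2,a3b5c2d4e6f7,35")

# The field names chosen in the Output step, in field order.
OUTPUT_NAMES = ["TIMESTAMP", "HOSTNAME", "EVENT TYPE", "PROCESS NAME",
                "PROCESS ID", "USERNAME", "IP ADDRESS", "HASH", "THREAT SCORE"]

# Assumed list of separators the auto mode tries.
CANDIDATE_SEPARATORS = [",", ";", "\t", "|"]


def detect_separator(line):
    """Pick the candidate separator that occurs most often in the line.
    Returns None when no candidate appears (not a delimited record)."""
    counts = {sep: line.count(sep) for sep in CANDIDATE_SEPARATORS}
    best = max(counts, key=counts.get)
    return best if counts[best] > 0 else None


def infer_type(value):
    """Assign a data type, standing in for the colour legend in the UI."""
    if re.fullmatch(r"-?\d+", value):
        return "integer"
    if re.fullmatch(r"-?\d+\.\d+", value):
        return "float"
    if value.lower() in ("true", "false"):
        return "boolean"
    return "string"


def auto_parse(line):
    """'auto' mode: split on the detected separator, name fields fieldName1..N."""
    sep = detect_separator(line)
    if sep is None:
        raise ValueError("no delimiter recognised in the event")
    # csv handles quoted values that themselves contain the separator.
    values = next(csv.reader(io.StringIO(line), delimiter=sep))
    return {f"fieldName{i}": {"value": v, "type": infer_type(v)}
            for i, v in enumerate(values, start=1)}


def rename_fields(parsed, names):
    """Output step: replace the default names with the chosen names, in order.
    A count mismatch is an error rather than a silent mis-mapping, since a
    shifted column would put e.g. the hash under the IP ADDRESS name."""
    if len(names) != len(parsed):
        raise ValueError(f"expected {len(parsed)} names, got {len(names)}")
    return {new: parsed[f"fieldName{i}"]
            for i, new in enumerate(names, start=1)}


def parse_event(line, names=OUTPUT_NAMES):
    """Full flow for one event: auto parse, then apply the output names."""
    return rename_fields(auto_parse(line), names)


if __name__ == "__main__":
    for name, field in parse_event(SAMPLE_LOG).items():
        print(f"{name:13} {field['type']:8} {field['value']}")
```

Running the script prints the nine renamed fields with their inferred types; PROCESS ID and THREAT SCORE come out as integers, everything else as strings, which is the same split the Auto mode produces before renaming.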
